Lateral Movement and Privilege Escalation
Pass-the-Hash (PtH) enables authentication using NTLM hashes without cracking passwords. NTLM hashes of administrative accounts taken from one compromised system authenticate to any other machine that shares those credentials. While modern mitigations like Credential Guard reduce its effectiveness, PtH remains valuable for lateral movement. Many tools implement PtH; this section focuses on the concept rather than on any particular implementation.
Overpass-the-Hash (Pass-the-Key) uses Kerberos keys instead of NTLM hashes for authentication. This technique requests TGTs using extracted keys, appearing more legitimate than NTLM authentication. Kerberos authentication bypasses some NTLM restrictions while providing similar lateral movement capabilities. Understanding both techniques enables adapting to defensive controls.
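From the defender's side, both techniques leave traces in the Windows Security log. The following is an added example, not code from the original text: it applies three commonly used heuristics to constructed, simplified event records keyed by the field names of Event ID 4624 (logon) and Event ID 4768 (Kerberos TGT request). An NTLM network logon with a NULL caller SID and zero key length is a PtH candidate; a NewCredentials (type 9) logon through the `seclogo` logon process is a credential-injection pattern on the source host; and an RC4-encrypted TGT request for an account that normally receives AES tickets is an Overpass-the-Hash candidate, because RC4 is the key derived directly from the NT hash. Host names, SIDs and addresses in the sample are placeholders I made up, and every rule is a triage signal rather than proof of compromise.

```python
"""Heuristic detection of Pass-the-Hash and Overpass-the-Hash candidates in Windows
Security events. Added example, not from the original text; event dicts below are
constructed sample data, not real logs."""

NULL_SID = "S-1-0-0"            # SubjectUserSid when the logon carries no caller context
RC4_HMAC = "0x17"               # 4768 TicketEncryptionType: RC4 key derives from the NT hash
AES_TYPES = {"0x11", "0x12"}    # AES128-CTS / AES256-CTS ticket encryption types

# Constructed sample events (placeholder hosts, SIDs and addresses).
SAMPLE_EVENTS = [
    # Normal Kerberos network logon: no finding expected.
    {"EventID": 4624, "Computer": "FS01", "LogonType": "3", "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "KeyLength": "0", "SubjectUserSid": NULL_SID,
     "TargetUserName": "alice", "IpAddress": "10.0.0.20"},
    # svc_backup normally obtains AES TGTs (this record establishes the baseline)...
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "svc_backup",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.30"},
    # ...so a later RC4 TGT request from another host is an Overpass-the-Hash candidate.
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    # NTLM network logon, NULL caller SID, KeyLength 0: PtH candidate.
    {"EventID": 4624, "Computer": "FS01", "LogonType": "3", "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "KeyLength": "0", "SubjectUserSid": NULL_SID,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.55"},
    # ANONYMOUS LOGON and machine accounts produce the same pattern legitimately: excluded.
    {"EventID": 4624, "Computer": "FS01", "LogonType": "3", "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "KeyLength": "0", "SubjectUserSid": NULL_SID,
     "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": "3", "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "KeyLength": "0", "SubjectUserSid": NULL_SID,
     "TargetUserName": "WS07$", "IpAddress": "10.0.0.7"},
    # NewCredentials (type 9) logon via the 'seclogo' logon process on a workstation:
    # a fresh logon session seeded with alternate credentials on the source host.
    {"EventID": 4624, "Computer": "WS07", "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "KeyLength": "0",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104", "TargetUserName": "bob",
     "IpAddress": "::1"},
]


def is_pth_candidate(ev):
    """4624 / LogonType 3 over NTLM with a NULL caller SID and KeyLength 0.
    Legitimate NTLM logons also match, so anonymous and machine accounts are excluded."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != "3":
        return False
    if ev.get("LogonProcessName", "").strip() != "NtLmSsp":
        return False
    if ev.get("KeyLength") != "0" or ev.get("SubjectUserSid") != NULL_SID:
        return False
    user = ev.get("TargetUserName", "")
    return user.upper() != "ANONYMOUS LOGON" and not user.endswith("$")


def is_newcredentials_injection(ev):
    """4624 / LogonType 9 (NewCredentials) through 'seclogo' with Negotiate."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == "9"
            and ev.get("LogonProcessName", "").strip().lower() == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")


def learn_aes_accounts(events):
    """Baseline: accounts that have obtained at least one AES-encrypted TGT."""
    return {ev["TargetUserName"] for ev in events
            if ev.get("EventID") == 4768
            and ev.get("TicketEncryptionType", "").lower() in AES_TYPES}


def is_rc4_tgt_downgrade(ev, aes_accounts):
    """4768 with RC4-HMAC for an account known to use AES: only the NT-hash-derived
    key was available to the requester (Overpass-the-Hash candidate)."""
    return (ev.get("EventID") == 4768
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and ev.get("TargetUserName") in aes_accounts)


def detect(events, aes_accounts=None):
    """Return (rule, account, host, source_ip) findings in event order."""
    aes = aes_accounts if aes_accounts is not None else learn_aes_accounts(events)
    findings = []
    for ev in events:
        key = (ev.get("TargetUserName"), ev.get("Computer"), ev.get("IpAddress"))
        if is_rc4_tgt_downgrade(ev, aes):
            findings.append(("rc4_tgt_downgrade",) + key)
        if is_pth_candidate(ev):
            findings.append(("pth_ntlm_network_logon",) + key)
        if is_newcredentials_injection(ev):
            findings.append(("newcredentials_seclogo",) + key)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The AES baseline is learned from the same batch here for simplicity; in production it should come from a longer history, and the RC4 rule is only meaningful where accounts actually have AES keys (Kerberos AES enabled on the account and no RC4-only service accounts in scope).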
Token impersonation on domain-joined systems lets an attacker assume another user's identity for lateral movement. Cached tokens from domain administrators or service accounts enable privilege escalation. Tools like Incognito or built-in Windows APIs manipulate tokens. SeImpersonatePrivilege combined with various potato exploits achieves SYSTEM access, potentially revealing domain administrator tokens.
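The least-privilege check that follows from this paragraph is to know which principals on a host hold SeImpersonatePrivilege beyond the operating-system defaults, since every extra holder is an account whose compromise ends in SYSTEM. The script below is an added example, not from the original text: it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file>` template and diffs the holders against a baseline. The sample template is constructed, the baseline set (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE) is my assumption of the stock defaults on a plain member server, and IIS hosts additionally grant it to IIS_IUSRS by design.

```python
"""Audit holders of SeImpersonatePrivilege from a secedit export. Added example, not
from the original text; SAMPLE_EXPORT is constructed and the baseline is an assumption."""

# Well-known SIDs, for readable output.
WELL_KNOWN_SIDS = {
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-568": "BUILTIN\\IIS_IUSRS",
}

# Assumed stock holders on a member server (not from the original text).
DEFAULT_IMPERSONATE_HOLDERS = {"S-1-5-6", "S-1-5-19", "S-1-5-20", "S-1-5-32-544"}

# Constructed sample of 'secedit /export /cfg out.inf' output (real files are UTF-16).
# The domain SID and svc_web are placeholders; secedit writes resolvable principals
# as *SID, so the parser accepts both the starred and the plain-name form.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111-2222-3333-1105,svc_web
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege_name: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def holders(text, privilege):
    return parse_privilege_rights(text).get(privilege, [])


def unexpected_holders(text, privilege="SeImpersonatePrivilege",
                       baseline=DEFAULT_IMPERSONATE_HOLDERS):
    """Principals holding the privilege that are not in the expected baseline."""
    return [p for p in holders(text, privilege) if p not in baseline]


def describe(principal):
    return WELL_KNOWN_SIDS.get(principal, principal)


if __name__ == "__main__":
    for p in holders(SAMPLE_EXPORT, "SeImpersonatePrivilege"):
        flag = "" if p in DEFAULT_IMPERSONATE_HOLDERS else "   <-- review"
        print(f"{describe(p)}{flag}")
```

Run it against a real export after converting the file from UTF-16, and review each flagged principal: a service account that needs impersonation should run as a virtual or managed service account rather than a shared domain user, so that the token it can reach is worth less.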
WMI and PowerShell remoting provide legitimate administrative protocols repurposed for lateral movement. These "living off the land" techniques blend with normal administrative traffic. WMI enables remote command execution, file transfer, and persistence. PowerShell remoting provides interactive sessions resembling SSH. Both protocols require administrative credentials but avoid dropping tools on target systems.
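Because these protocols run inside the operating system's own service hosts, the most reliable endpoint signal is process lineage on the target: a WMI `Win32_Process.Create` call runs its child under `WmiPrvSE.exe`, and a PowerShell remoting session runs inside `wsmprovhost.exe`, so a shell spawned from either parent is worth an alert. The following added example, not from the original text, parses constructed process-creation records in a flat `key=value` form modelled on Event ID 4688 fields (Sysmon Event 1 carries the same information) and classifies them; collecting the command line requires the "Include command line in process creation events" audit policy, and the host, user and command values in the sample are made up.

```python
"""Process-lineage detection for WMI and PowerShell remoting on the target host.
Added example, not from the original text; SAMPLE_LINES are constructed records."""
import re

# Parent processes that host remotely invoked code on the target.
REMOTE_HOST_PARENTS = {
    "wmiprvse.exe": "wmi_remote_exec",          # WMI provider host
    "wsmprovhost.exe": "powershell_remoting",   # WinRM / PowerShell remoting session host
}

# Child images that mean a shell or script host was spawned, not a normal provider call.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "mshta.exe"}

# Constructed sample records in key=value form (quoted values may contain spaces).
SAMPLE_LINES = [
    r'EventID=4688 Computer=FS01 SubjectUserName=alice NewProcessName=C:\Windows\System32\notepad.exe ParentProcessName=C:\Windows\explorer.exe CommandLine="notepad.exe C:\notes.txt"',
    r'EventID=4688 Computer=FS01 SubjectUserName=svc_backup NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="cmd.exe /c hostname"',
    r'EventID=4688 Computer=FS01 SubjectUserName=bob NewProcessName=C:\Windows\System32\wsmprovhost.exe ParentProcessName=C:\Windows\System32\svchost.exe CommandLine="C:\Windows\System32\wsmprovhost.exe -Embedding"',
    r'EventID=4688 Computer=FS01 SubjectUserName=bob NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\wsmprovhost.exe CommandLine="cmd.exe /c ipconfig"',
    r'EventID=4689 Computer=FS01 SubjectUserName=bob ProcessName=C:\Windows\System32\cmd.exe',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn 'k=v k2="v with spaces"' into a dict; backslashes are kept verbatim."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return (rule, severity) for a 4688 record, or None when nothing is notable."""
    if ev.get("EventID") != "4688":
        return None
    child = basename(ev.get("NewProcessName", ""))
    parent = basename(ev.get("ParentProcessName", ""))
    if child == "wsmprovhost.exe":
        # A remoting session host starting is the session itself: low severity, but
        # it anchors any later findings from the same user on this host.
        return ("powershell_remoting_session", "low")
    technique = REMOTE_HOST_PARENTS.get(parent)
    if technique and child in SHELL_CHILDREN:
        return (technique + "_shell", "high")
    return None


def detect(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        result = classify(ev)
        if result:
            findings.append({"rule": result[0], "severity": result[1],
                             "host": ev.get("Computer"), "user": ev.get("SubjectUserName"),
                             "command": ev.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LINES):
        print(f"[{f['severity']}] {f['rule']} {f['user']}@{f['host']}: {f['command']}")
```

A session-host start under a user who never uses remoting, followed within seconds by a shell child, is the combination to alert on; legitimate automation produces the same lineage, so tune on the user and source host rather than on the command alone.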